Security
Feature
Firewalls at Your Service

November 12, 2001
By Mike Fratto


If you run the IT department of a service provider, you know that managed security is a hot service. Everyone wants security, but many are discovering the high costs associated with purchasing the equipment, paying an administrator to install and manage the firewall, keeping current with updates, and ongoing maintenance. A lot of companies that aren't in the Fortune 100 can ill-afford the financial burden.



As a service provider, your company is in a unique position to offer to end customers value-added services such as a managed firewall and VPN. But how do you do that at a reasonable cost? While the answer is broad and complicated, we set out to address a portion of it in this review: Which vendor's line of centrally managed, distributed firewalls offers the features and management for a large-scale, multicustomer deployment?

Of the eight vendors we invited to participate in this review, four submitted products for our testing. SonicWall's Pro-VX and XPRS2 with the SonicWall Global Management System won our Editor's Choice award thanks to the products' stellar security features and management access control. The other participants were Lucent Technologies' Lucent Security Management Server (LSMS) 6.0 with Lucent VPN Firewall Brick 201 and Brick 80, Nortel Networks' Optivity Network Configuration System (NCS) with Contivity 2600 and Contivity 600 firewalls, and WatchGuard Technologies' Managed Security Service (MSS) with Firebox 2500 and Firebox 1000 firewalls.



[Figure: Distributed Firewall Features Chart]

NetScreen Technologies declined to participate because it's between revisions of its NetScreen-Global multiunit management platform. Check Point Software Technologies opted out because it's between revisions of Provider-1. Cisco Systems didn't take part because its solution relies heavily on third-party applications. Nokia cited lack of hardware resources to support the review.

Our requirements called for centrally managed SOHO (small office/home office) firewalls aimed at supporting networks of 50 to 250 nodes, primarily on broadband circuits. We assumed the firewall would sit between the cable modem and the internal network. The management had to support multiple customers and to provide customer access, from view-only to shared management. We defined our initial customer population at 1,000 nodes, divided among one or more companies that needed firewall protection.

We wanted to evaluate initial device configuration, multiunit management, tiered management (including customer access control to management functions), change control and auditing, and remote troubleshooting. We asked vendors to submit 10 SOHO firewalls and two central-site firewalls.

Judging the Details

Of course, firewall security is a basic requirement. We wanted devices that could filter inbound and outbound traffic and provide VPN connectivity while being centrally manageable. All the products we tested provide those services.

However, as a revenue stream, the more value-added options packaged onto the firewall, the higher the potential return on investment. While Lucent and Nortel provide basic firewall/VPN security features, advanced security capabilities, such as application proxies, content filtering and URL blocking, offered by products from SonicWall and WatchGuard, earned higher points.

Keeping initial costs low depends largely on the price of the units and licensing fees. List prices for SOHO firewalls vary greatly. Nortel's list price for 1,000 Contivity 600s comes in at a relatively low $503,000, while the list price of WatchGuard's products hits a whopping $5 million. You most likely will get bulk discount rates depending on your buying power, so we asked for list price as a starting point.

Once the customer has signed on, the difficult task of firewall rollout and maintenance begins. Again, minimizing a system engineer's time on-site lowers cost. Simple configuration and hassle-free installation not only will make installs simpler and cheaper but will let you service more customers.

To support dynamic IP addressing, you need two key items: a DHCP client on the firewall's WAN interface so you can manage IP addresses on the central DHCP server by mapping IP addresses to MAC (Media Access Control) addresses, and a DHCP server on the inside for LAN addressing. Once the firewall gets an address, you're ready to go. Of the products tested, only Lucent's Brick doesn't offer client or server DHCP support. However, both the Brick and the Firebox 1000 have the added benefit of sitting transparently in the network, and each requires only one IP address for management.
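The MAC-to-IP mapping described above is what lets a central DHCP server hand each SOHO firewall's WAN interface a predictable address. The following added example (not from the article or any vendor's tooling) takes a constructed firewall inventory, normalizes the MAC notation, rejects duplicate MACs, duplicate addresses and addresses outside the management pool, and emits ISC dhcpd `host` reservations; the inventory values and pool are hypothetical.

```python
import ipaddress
import re

# Constructed inventory of SOHO firewalls: (customer, WAN MAC, fixed IP).
# All values are hypothetical; MACs deliberately use mixed notations.
FIREWALL_INVENTORY = [
    ("acme", "00:a0:c9:12:34:56", "203.0.113.10"),
    ("acme", "00-A0-C9-12-34-57", "203.0.113.11"),
    ("globex", "00a0.c912.3458", "203.0.113.12"),
]

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept colon, dash or dotted notation; return aa:bb:cc:dd:ee:ff."""
    raw = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not MAC_RE.match(raw):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def build_reservations(inventory, pool):
    """Return (name, mac, ip) tuples; a clash or out-of-pool address is an error,
    since a duplicate reservation would silently strand one firewall."""
    net = ipaddress.ip_network(pool)
    seen_macs, seen_ips, out = set(), set(), []
    for customer, mac, ip in inventory:
        mac = normalize_mac(mac)
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside management pool {pool}")
        if mac in seen_macs or addr in seen_ips:
            raise ValueError(f"duplicate reservation for {customer}: {mac} / {ip}")
        seen_macs.add(mac)
        seen_ips.add(addr)
        out.append((f"{customer}-fw{len(out) + 1}", mac, str(addr)))
    return out


def render_dhcpd(reservations):
    """Emit one ISC dhcpd 'host' stanza per firewall WAN MAC."""
    return "\n".join(
        f"host {name} {{ hardware ethernet {mac}; fixed-address {ip}; }}"
        for name, mac, ip in reservations
    )


if __name__ == "__main__":
    print(render_dhcpd(build_reservations(FIREWALL_INVENTORY, "203.0.113.0/24")))
```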

Ongoing maintenance costs, driven by the need to have a technician on-site, can chew away at profit margins. Initial configuration and installation shouldn't involve the end user, provided you gather the required information about network topology. When a device fails, shipping a new unit to a customer overnight is often less expensive than bringing in a technician to replace hardware. That means you have to preconfigure the hardware, which adds delay to the processing time.

Of the four products we tested, Lucent's LSMS and Brick have one of the best recovery methods available. You can ship a shrink-wrapped Brick directly from the warehouse to the remote site. The initial disk load contains the Brick software and the initial configuration needed to contact the LSMS and retrieve the current policy. Just boot from the disk to load the software, remove the disk and reboot.

Watching and Waiting

There are two ways you're going to hear about hardware failure. Either the management station will notify you that it can't contact the remote firewall, or an unhappy customer will call and tell you something is wrong. The former is a lesser evil than the latter.

All the management packages monitor the firewall status to varying degrees. The red/blue color changes of SonicWall's Pro-VX and SOHO2 show status, while WatchGuard's and Lucent's products provide more detail. Only Lucent's LSMS provides a status overview of all the managed firewalls, including all the Bricks, total number of authenticated users and total number of sessions by protocol. By drilling down to the individual Bricks, you can view nearly every aspect of the Brick. WatchGuard's MSS provides slightly less functionality but more detail than SonicWall's or Nortel's products.

Detailed logging is critical when troubleshooting remote devices. Lucent's and WatchGuard's products include good, detailed logs that can be sorted and filtered, which helps pinpoint problems. However, as with any troubleshooting tools, the more intimate you are with the product, the more efficient your troubleshooting will be.

Troubleshooting remote firewalls is difficult if the WAN connection is down. Unfortunately, when the firewall goes dead on the WAN side, you're pretty much blind. If the firewall can't contact the management station, all troubleshooting tools in the GUI are useless. At that point, having a dial-up connection into the firewall for out-of-band management will pay for itself. Only WatchGuard's and Nortel's products have serial ports prepared for out-of-band management via an external modem.

We were also interested in the customer model's support for split management, as well as tiered management. Ideally, the management station should provide customized views and access controls. We found that both SonicWall's and Lucent's products shined in this area. The more detailed controls of SonicWall's product let us configure access to nearly every feature. To perform the same task with WatchGuard's MSS, we would have had to install multiple management platforms.

In the end, you may be able to provide value-added service and lessen your workload by letting the customer view and manage portions of the firewall. Some ISPs use split management, in which they contract to support a specific number of remote users, but the end organization manages specific user accounts. That model is no less valid with firewalls, as long as you can keep the management separated.

Of course, firewall changes need to be tracked for auditing and change control, so strong administrative logging is a must. Nortel's and WatchGuard's products have good administrative auditing in place.

SonicWall's solution eked out our Editor's Choice award because of its strong management structure, versatile network integration, easy SOHO firewall installation, and good logging and reporting tools. Lucent's offering could use some value-added security features, like virus scanning and content filtering.

